Binalyze Tool Evaluation Initial Impression
This post results from the project “DFIR & Threat Intelligence” within the Munich Cyber Security Program (MCSP). The MCSP is a cooperation project between Champlain College and Com|Code (Germany). This project focuses on new developments in the Digital Forensics and Incident Response fields as well as performing research for clients of Com|Code.
After two weeks of working with Binalyze and some interesting troubleshooting (apparently, special characters will break HTTPS security certificates), initial impressions of the tool is quite strong. It is by no means an all-in-one security platform, but remains very strong as an Incident Response (IR) and evidence acquisition tool. Actually, it is more accurate to call it a suite of tools. AIR is Binalyze’s main product and the central server that all of their other tools communicate to. It provides the UI to perform investigations. TACTICAL is probably the most intensive tool in the suite, performing data gathering and memory acquisition on endpoints incredibly fast (<30 min) with a small program (able to run on a USB). DRONE scans through both file systems and running memory to identify security threats, Indicators of Compromise (IoCs), malicious activity/files, and assigns all of this information with a score so that AIR can display the most crucial information immediately. These, along with some more minor tools, operate well together to help a digital forensics investigator collect and sort through an impossible amount of data that can be present in an enterprise environment.
The initial installation of Binalyze’s suite is of AIR. It requires a license key and will ask for login information. It is important to note here, do NOT include a special character in the “Organization” field during initialization. Doing so will result in a communication error between AIR and the endpoints (called “agents”). Binalyze is aware of the problem and it may have been fixed since this publication but we cannot confirm this currently. After installation, the entire suite of tools becomes available. Within AIR, you can perform and schedule data acquisition, create cases to store evidence, create timelines (which is automated), and much more. However, before all that, we first have to make our client machines agents.
Deployment onto client machines is incredibly easy. As always, it’s possible to install via the Software Installation option in a Group Policy. If this is not an option, or if you are using an OS that has a web browser, Binalyze comes with a website to install the agent software without requiring authentication. For Linux-based operating systems, there are both curl and wget commands to pull either the Debian, or RPM installer, which runs as a single script. Within a second of finishing the installation, these machines appear in the AIR console and are ready to be investigated.
There are over 100 different evidence types collected via Binalyze’s TACTICAL program which runs locally on the endpoints. There appears to be more support for Windows than any other OS, but the data gathered from each is incredibly useful during a forensic investigation. It is also possible to select/create profiles to filter which types of evidence are collected. This data is collected into a separate folder before it is zipped and sent to the main AIR server. We recommend either selecting a folder with restricted privileges or changing the permissions of the default location because the default configuration allows any authenticated user to modify its content, potentially leading to a data integrity issue. TACTICAL runs with System-level privileges, so there is no worry about the tool breaking after assigning a more restrictive policy. There is also SFTP, SMB, FTPS, AmazonS3, and Azure Blob support, though a temporary, local location is required to store files initially.
Binalyze’s DRONE program scans an agent’s entire file system and processes running in memory for suspected malicious activity. While it could use some work, has identified major threats we introduced to our test network, assigning them each a severity score and highlighting them for an investigator.
Binalyze also comes with an extended array of functionality that would serve useful in an IR case. Without diving too far into the technical aspects, it is possible to isolate a computer, scan for known security threats, open a command-line connection to a computer, and schedule data acquisitions, among others.
While our evaluation started off a bit rocky, it is clear that the functionality provided by Binalyze would serve useful in many corporate or enterprise solutions. Thanks to AIR’s easy deployment and TACTICAL’s speed in acquiring evidence, it is great for an Incident Response investigator to capture large amounts of data and gain a base understanding of what is occurring within a network. This suite clearly could compete with other acquisition tools currently on the market; stay tuned to this blog and we may just compare some.
-Written by Joseph Fustolo ‘23 //Digital Forensics & Cybersecurity